Address comments

Author: minggangw

lib/runtime/transports/http.js

@@ -606,6 +606,12 @@ class HttpTransport extends TransportAdapter {
    * `cors` is disabled. For an allow-list, the request `Origin` is echoed
    * only when it matches (and `Vary: Origin` is set so caches don't mix
    * responses across origins).
+   *
+   * `Access-Control-Allow-Headers` reflects the browser's
+   * `Access-Control-Request-Headers` when present, so authenticated or
+   * custom-header requests (`Authorization`, `X-*`, …) pass preflight
+   * rather than being limited to `content-type`. The reflected value is
+   * added to `Vary` to keep caches correct.
    */
   _applyCors(req, res) {
     if (!this.cors) return;
@@ -620,7 +626,15 @@ class HttpTransport extends TransportAdapter {
       }
     }
     res.setHeader('access-control-allow-methods', 'GET, POST, OPTIONS');
-    res.setHeader('access-control-allow-headers', 'content-type');
+    // Echo whatever headers the browser says it will send; fall back to
+    // `content-type` for non-preflight requests that carry no such hint.
+    const requested = req.headers['access-control-request-headers'];
+    if (requested) {
+      res.appendHeader('vary', 'Access-Control-Request-Headers');
+      res.setHeader('access-control-allow-headers', requested);
+    } else {
+      res.setHeader('access-control-allow-headers', 'content-type');
+    }
     res.setHeader('access-control-max-age', '86400');
   }
 }